Hard National Security Choices

I’d like to briefly address two articles in the news today on U.S. cyber-attack strategy, one the New York Timespiece that Jack already commented on and the other a Washington Post editorial. The Times reports on a “secret legal review on the use of America’s growing arsenal of cyberweapons has concluded that President Obama has the broad power to order a pre-emptive strike if the United States detects credible evidence of a major digital attack looming from abroad.” The Post, following up on its recent reporting by Ellen Nakashima that U.S. Cyber Command is dramatically expanding and reorganizing, laments that “[o]ne large missing piece is a declaratory policy similar to that used for nuclear weapons in the Cold War, when nuclear policy was openly debated without divulging important secrets.” I have interrelated concerns and questions about both pieces.

The New York Times piece was a head-scratcher for me. For starters, although I don’t like it when legal bloggers nitpick journalists’ efforts to summarize technical legal issues, in this case it’s a story all about a legal analysis for which precise categorization is important – indeed, it’s about the executive branch’s legal claims in an area where the big debates are very much about appropriate categorization. So, I was surprised by some bizarre references to, for example, “declared wars,” as well as almost any clarity throughout the article about which “rules” are considered binding as a matter of law versus policy, or domestic versus international law.

Focusing on the main report of the piece that the President claims power to order pre-emptive cyber-attacks, the Times report then draws parallels to the claimed authority for the Obama administration’s counter-terrorism drone strikes in places like Yemen and Pakistan, and to the Bush Administration’s 2003 Iraq war justification (as an aside, under my breath: here it repeats the frequent error in asserting that preemption was the Bush Administration’s central legal argument). In those other cases, though, there’s no serious question that U.S. actions constitute military force and that a major al Qaida terrorist bombing or a WMD strike by Iraq would constitute an armed attack; the key issue is under what conditions could the U.S. take self-defensive military action in anticipation of a foreseeable future threat. Such analogies are only directly legally relevant, though, to the extent that cyber-attacks – those directed at us, and those we might use in self-defense – also constitute “force” or “armed attacks” for the purposes of the UN Charter and customary international law of self-defense. In the past, some Obama Administration lawyers such as Harold Koh have spoken to this issue, and one of the interesting but buried aspects of this Times story is how the U.S. government is converting that legal analysis into specific guidance and its own state practice.

This also raises a strategic question, which relates to the Washington Post piece: to what extent does the U.S. government desire to communicate the rules and lines it’s drawing to the rest of the world, either because it’s trying to shape international norms or because strategically it’s trying to deter cyber-attacks. After all, deterrent threats only work if they’re communicated to the adversary (see Dr. Strangelove), though this could be achieved in a number of ways, including proclaiming them publicly, demonstrating them through visible actions, or… leaking them to a major paper.

The Post editorial calls for, among other things, a public declaratory policy about when we will use cyber-attacks, comparing this historically to U.S. nuclear doctrine. That may or may not be a good idea strategically, among other things because sometimes ambiguity is better than clarity in deterring attacks. What’s odd about this editorial, though, is that this recommendation is pitched not as a strategic imperative but for democratic accountability and out of concern about inadequate public scrutiny. Cold War and post-Cold War nuclear declaratory policy was deliberately integrated with strategic doctrine, not for democratic transparency. If we’re looking for institutional checks on executive branch cyber-doctrine, I question whether declaratory policies are so useful. In general declaratory policies (because they are intended to be lasting) should come at the end of a process of careful deliberation, not as a way of prompting it.

About the Author

About the Author

Matthew Waxman is a law professor at Columbia Law School, where he
co-chairs the Roger Hertog Program on Law and National Security. He
is also Adjunct Senior Fellow for Law and Foreign Policy at the
Council on Foreign Relations and a member of the Hoover Institution
Task Force on National Security and Law. He previously served in
senior policy positions at the State Department, Defense Department,
and National Security Council. After graduating from Yale Law School,
he clerked for Judge Joel M. Flaum of the U.S. Court of Appeals and
Supreme Court Justice David H. Souter.

Brookings Logo

Lawfare is Published by The Lawfare Institute in Cooperation With

Today, Israeli Prime Minister Benjamin Netanyahu delivered a speech before a joint session of Congress on a potential U.S. nuclear treaty with Iran. During the address, he declared, “This is a bad deal – a very bad deal. We’re better off without it.” NPR shares further analysis of Netanyahu’s speech. Partisan drama has surrounded the . . . Read more »

Search

Search

Site
Wiki

Ad

Support Lawfare

Support Lawfare

The Lawfare Institute is a not-for-profit educational organization devoted to the publication of this site. The Lawfare Institute is a 501(c)(3) tax exempt organization. You can support Lawfare with a contribution of any size. Our mailing address for checks is: P.O. Box 33226, Washington DC 20033-3226. You can also contribute using credit cards or Paypal by clicking on this button.

Support Lawfare By Buying from Amazon

Lawfare is an Amazon affiliate site. Every time you use this search box to buy from Amazon, you raise money for Lawfare.